DonBot starts vigorous social networking campaign
This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.
As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally such links appear in only a tiny fraction of a percent of spam, but on November 18 that figure jumped to 4 percent of all spam. This new surge comes entirely from the DonBot botnet.
The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes, in which the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. First, the body of the e-mail is simply an image (of a fake newspaper article), to try to get past text-based signatures.
Second, the image itself is a link to a Twitter account, an attempt to get past link signatures: Twitter is a legitimate site that couldn’t be blocked without stopping a huge amount of perfectly innocent e-mail as well. The Twitter update it links to is a short message telling people they could earn a certain amount of money per day, and provides a link to follow. A large number of Twitter accounts are used, and they seem to be a mixture of hijacked accounts (quite old, with genuine-looking updates) and false accounts set up purely for spamming (not very old, containing only spam-like links).
There are a few website links at the end of the trail, and all are similar: each contains a story explaining how the victim could make large amounts of money for very little effort, followed by a step-by-step list of things to do in order to start making this money, the first of which is to fill out a form and pay a small “trial” fee. Some of these websites even include a photo of a “happy customer” holding a check for more than $29,000, a tactic intended to increase the credibility of the scam.
We have also seen this scam being run through hijacked Facebook accounts, where the scammers have used a legitimate Facebook account that does not belong to them to post updates to the account’s ‘friend’ list. These updates contain links to the same Twitter accounts that are used by the e-mails.
Any website or e-mail claiming to have an offer to make easy money that seems too good to be true, almost certainly is. Don’t be fooled!
The Symantec Intelligence Blog, published by Symantec.cloud, serves as a conduit for communicating intelligence data, trends and statistics based on analysis of cyber security threats, drawing on the insights of the Symantec Intelligence team, which is made up of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols, drawn from the billions of web pages, e-mail and IM messages they monitor each day.